
November 1, 2005 2:15 PM PST

Sony CD protection sparks security concerns

Last modified: November 17, 2005 4:41 PM PST

A correction was made to this story. Read below for details.

Mark Russinovich was doing a routine test this week of computer security software he'd co-written, when he made a surprising discovery: Something new was hiding itself deep inside his PC's guts.

It took some time for Russinovich, an experienced programmer who has written a book on the Windows operating system for Microsoft, to track down exactly what was happening, but he ultimately traced it to code left behind by a recent CD he'd bought and played on his computer.

The Sony BMG-produced Van Zant album had been advertised as copy-protected when he'd bought it on Amazon.com, and he'd clicked through an installation agreement when he put the disc in his computer. What he later found is that the software had used a sophisticated cloaking technique that involves a "rootkit"--something not dangerous in itself, but a tool often used by virus writers to hide all traces of their work on a computer.

"We're still trying to find a line between fair use and digital rights management, and it is going to take issues like this, with discussions between lawmakers and industry, to come up with what's fair and honest," Russinovich said. "But I think this has gone too far."

Russinovich posted a detailed step-by-step account of his findings on his blog, drawing immediate criticism of SonyBMG's technology from some inside the security software community. The passionate response underlines the power copy protection retains to inflame emotions and spark bitter debate, despite the growing string of chart-topping albums that have been released over the past year with the protections included.

A handful of security companies weighed in on the issue, saying the rootkit could present a possible--if still theoretical--risk to computers.

The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.

In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company's CEO.

"I think this is slightly old news," Gilliat-Smith said. "For the eight months that these CDs have been out, we haven't had any comments about malware (malicious software) at all."

A SonyBMG representative said the software could be easily uninstalled, by contacting the company's customer support service for instructions. Those instructions are not specifically available on the Web site that answers questions about the company's copy protection tools.

Rootkit realities
Rootkit software has been around for over a decade but has recently come to increased prominence as more writers of viruses and the like adopt it for their purposes. Essentially, rootkits are tools for digging deep into a computer's operating system to hide the fact that certain software files exist or that the computer is performing certain functions.

Unlike other, less-powerful means of hiding files on a hard drive, rootkits are created to be extraordinarily difficult to uninstall without specific instructions, rooting themselves in an operating system's deepest recesses in order to prevent their deletion.

In the case of the SonyBMG software, trying to remove it manually could shut off access to the computer's CD player, researchers said.

Security researchers note that simply hiding something doesn't make it a threat, and the SonyBMG software is designed to hide the digital rights management tools that prevent unauthorized copies of the CD from being made.

However, it does remain active in the background of a computer, taking up a small amount of memory, even when the CD is not being played. Thus the rootkit software does have the potential to be misused by others, according to some researchers. The First 4 Internet software's technique for hiding files is broad enough that it could be adopted by virus writers, allowing them to hide their own tools on computers that have run the software from the CD, say some security experts.

That's an "academic" concern, but a real one, said F-Secure Chief Research Officer Mikko Hypponen, who wrote a warning on the issue Tuesday.

"Right now if you have this on your system, there is no real-world risk just because of this," Hypponen said. "But it would not be too far-fetched that some virus writer would try to take advantage of this."

Gilliat-Smith said his company is working with major antivirus software companies to help their software recognize the copy-protection tools and help guard against misuse.

A balancing act
The criticism over the protection technology highlights the careful balance record labels are trying to strike as they seek ways to guard their discs against copying.

Label executives have increasingly shifted their public piracy concerns from Internet file-swapping to the effect of widespread CD burning. The Recording Industry Association of America cites recent research from marketing specialist NPD Group showing that 29 percent of consumers' new music is acquired through ripping or burning a copy of a CD.

The CD copy protection tools now on the market do let consumers make copies of the music, both in the form of digital files on their computer and a limited number of backup CDs. Labels say they support both these activities, as long as they're for personal use.

The files that can be ripped to computers from these discs cannot be played on iPod MP3 players, however. The labels say they have not yet been able to persuade Apple Computer to include this capability.

Several earlier versions of copy protection were widely mocked online for being trivially easy to circumvent, by using techniques that included holding the computer's "shift" key down while starting, and coloring the rim of a CD with a magic marker.

Later versions of the technology, such as that produced by First 4 Internet, have made it more difficult to disable while still allowing the discs to be played on most computers.

"Obviously there are a lot of people who don't like the technology, and we will take note if we need to," Gilliat-Smith said. "Our approach is to make the balance between protection and the consumer experience the best that we can make it for our customers."

 

Correction: This story originally implied that Symantec approved First 4 Internet's "rootkit" software. It did not.

Comments (showing first 20 of 58)
It's still a joke
by ballssalty November 1, 2005 3:11 PM PST
All you have to do in XP is disable autorun. With autorun disabled it cannot install anything. You would have to physically doubleclick the executable. And if you did that on a music CD you deserve to be stuck with this mess.
Gee now that pirated music is a superior product...
by macslut November 1, 2005 3:13 PM PST
Record companies need to realize that there is no such thing as copy protection. Unless they can invent a time machine, people will always be able to VERY easily copy CDs. All of these copy protection scams just cost them money for licensing and result in reduced sales along with increased returns.

The Audio CD has a spec that many non-conventional CD devices rely upon for compatibility. This includes not only computers of many platforms, but also high-end car stereo systems and so forth.

Many of us see these "fake" CDs as just paying more $$$ for a product that is inferior to what can easily be pirated off the net, since the net version can be with a lossless codec (FLAC/ALE/etc) and without the annoying copy-protection.
Dreadful reporting
by November 1, 2005 3:52 PM PST
This article misses the point. Highly invasive software that can corrupt Windows was installed by Sony without the user's knowledge or permission. The software is hidden, extremely low level, and impossible to remove by any malware tools. Normal use of the computer can cause Windows' devices to become inaccessible, forcing the user to reformat and reinstall Windows.

Involuntary installation of software on computers is explicitly illegal in numerous US states, and is an unsafe unprofessional way to implement DRM. To make matters worse, Sony seems to have employed this technique in thousands of their current CDs.

To gloss over these facts minimizes the severity and inappropriateness of Sony's actions.
This is more than a mis-step... It is a criminal-offense.
by Had_to_be_said November 1, 2005 5:26 PM PST
Let's see. "Sony" has just admitted "hacking" people's computers, installing hidden "viral" software, which "limits functionality", and cannot be easily removed without seriously-damaging software-installations. And, obviously, this will also affect the "private-data" on any affected systems if the, only real, "repair option" is "reformatting".

There are numerous State, and Federal, "Computer Abuse" statutes on the books, which are clearly being directly-violated by this intentional-action on Sony's part. In fact, these exact actions are quite expressly described, in great detail, in many of these laws.

Furthermore, Sony should be held liable for any "damages" that their illicit "software" causes, including lost-time, productivity, and any personal data-losses, just as these LAWS require.

And, guess what? I know from personal-experience that "XP" already has real problems with "CD I/O operations", being caused, by any software changing related "core drivers". So, it is only a matter of time before the lawsuits start rolling-in.

I'd say that $3000.00 to $5000.00 per instance would be a reasonable "award". And, this should be on top of the Criminal-Proceedings.

And, I won't even go into the issue of the violation of my legal-rights, as a consumer.
Rootkit requires root, duh...
by November 1, 2005 7:39 PM PST
Why would anyone with this "victim's" huge amount of
knowledge about computers be running as the root user? Sorry,
"Administrator", in Windows terms. For 30 years users of
multiuser systems have been told, on day one of class, to never,
never, never log into your computer as root to do normal tasks.
You use root to administer your computer, and then get out
immediately and log in as a normal user.

So, when you don't run as root, programs you run cannot write
to sensitive areas of the registry, and rootkits are essentially
powerless.

Stop purchasing software to protect your computer against
malicious software that would otherwise be rendered useless if
you just ran as an ordinary user instead. The unix community is
laughing at you every day when you open your wallets.

Stop using the Administrator user. Save some money.
Taking the law into their own hands....
by CagedAnimal November 1, 2005 8:18 PM PST
So I guess if it prevents something illegal, anything the music industry is justified in its actions. It is just like saying I have the right to hack into a person's bank account to wire their unpaid debts to my account.
Sony has LOST its DIRECTION as an ELECTRONICS company
by JohnGlenn November 1, 2005 8:51 PM PST
Sony has LOST its direction as an ELECTRONICS Giant and trend-setter. This was once a proud company on whom consumers could count on to deliver the most imaginative ELECTRONIC products, but today all we ever hear about Sony seems to be more about how to protect the contents of a CD and less and less about the types of products its rivals (Read APPLE Computer) are able to churn out at will.

Sony (SLOWLY!) do you remember your Mission Statement? I do not think you were created as a record company; to the contrary, you were created as an electronics company first and foremost. Let's go back to making great ELECTRONIC products people want to buy instead of the lackluster (Me Too\Catch-up) products you seem to be forcing on your customers these days. Perhaps it's time that you UNLOAD the record division and FOCUS on your CORE business.

I am a devoted, but sad fan.
I disagree
by ballssalty November 1, 2005 9:08 PM PST
There is no benefit to autoplay, none whatsoever. I can't imagine how anyone can leave it active and not be so insanely infuriated every time they insert a disc.

I have a media center PC and have autorun disabled. No benefit.
Typical: Hurt the consumer, not the thief.
by zaznet November 1, 2005 9:54 PM PST
The typical solution for copyright owners is to cause harm and prevent fair use by the end user. The true consumer who paid is the one who is harmed by such copy protections.

Someone seeking to copy and distribute the media online would never install the DRM software to begin with. The installer should ask "Do you want to disable certain features in your computer to protect OUR rights?" when installing.
How about this.....
by mariusthull November 1, 2005 10:45 PM PST
If you see a music CD or movie DVD and it says it has copyright protection don't buy it. Or, write your state and federal officials to have a law passed that requires a written explanation of exactly what form the copyright protection takes be put right on the case. While they're at it they can clearly define the terms under which the purchaser may make copies, how many and the purposes for said copies. All of us should also get into the habit of reading the EULAs that come with our software.

If this story upsets you the best thing to do is to become an educated consumer.
What Else Will Sony Do?
by Stating November 2, 2005 12:07 AM PST
Now that they have surreptitiously installed a rootkit, why not just send a little message back to headquarters over the broadband connection that tells them every time the CD is played? Oh, and why not rifle through the computer's playlists to see what other music lives on the computer? I am sure the Marketing guys would love to know these things. The possibilities are endless, all under the guise of copyright protection and buried in a 10 page EULA that you have to read in a tiny scroll box while you are in a hurry to play that new song you just traipsed to the mall to buy.
How to disable autorun...
by BlueScreenOfDeath November 2, 2005 5:52 AM PST
Perhaps someone should post how to disable cd autorun on WinXP/2000/98 systems. Win2000's "Help" system isn't very helpful...
I don't buy anything Sony anymore!
by jetstoya November 2, 2005 7:02 AM PST
These guys sitting back counting their pennies making hundreds of thousands of dollars a year make me puke. The executives of Sony are so worried about losing a couple bucks to the little guy that they have lost sight of what's important. I don't buy anything Sony anymore!
Possibly underestimating the threat
by bhayden November 2, 2005 7:38 AM PST
I think that a careful reading of Mark Russinovich's original post would cause more concern than has been evidenced by this article and the commenters thereof.

First of all, the Sony DRM root kit does system call hooking. Kernel mode APIs are invoked via entries in the kernel's system service table. Legitimate kernel routines are located in the kernel. But in the case of system call hooking, some other routine is substituted in that table, and it is typically not located in the kernel. The Sony DRM substitute APIs are not, potentially causing what Mark terms a "race condition". He says "It's never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory".

Secondly, the Sony code not only uses up memory, but is a constant drain on CPU resources, regardless of whether or not a CD is in the drive. Apparently, every two seconds it scans the executables of all running processes and queries basic information about each of those executables eight times per scan (is that bad programming or what?)

As a final note, I am trying to pull together as much of this information as I can, and, in particular, the legal ramifications, at: http://bhayden.blogspot.com/
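The check bhayden's comment describes (service-table entries should point into the kernel image, hooked ones point somewhere else), as an added example that is not code from the article, the commenter or Russinovich's post. It runs over a constructed table: every address, the image sizes and the driver name example_filter.sys are invented. A slot that points at no loaded image models the stale pointer left behind when a hooking driver unloads.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded image (kernel or driver) occupying [base, base + size). */
struct image { const char *name; uint64_t base, size; };

/* One service-table slot that does not point into the kernel image. */
struct finding { size_t slot; uint64_t target; const char *owner; };

static int contains(const struct image *img, uint64_t addr)
{
    return addr >= img->base && addr - img->base < img->size;
}

/* Name of the loaded driver that contains addr, or NULL if none does. */
static const char *owner_of(const struct image *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (contains(&mods[i], addr))
            return mods[i].name;
    return NULL;
}

/* Record slots that point outside the kernel; returns how many were seen. */
size_t find_hooked(const uint64_t *table, size_t slots,
                   const struct image *kernel, const struct image *mods,
                   size_t nmods, struct finding *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < slots; i++) {
        if (contains(kernel, table[i]))
            continue;                       /* legitimate: inside the kernel */
        if (found < max_out) {
            out[found].slot = i;
            out[found].target = table[i];
            out[found].owner = owner_of(mods, nmods, table[i]);
        }
        found++;
    }
    return found;
}

/* Constructed sample: every address and name below is invented. */
static const struct image KERNEL = { "kernel", 0x80400000u, 0x00200000u };
static const struct image DRIVERS[] = {
    { "example_filter.sys", 0xF8A00000u, 0x00008000u },
};
static const uint64_t TABLE[] = {
    0x80412340u,  /* slot 0: inside the kernel */
    0xF8A01000u,  /* slot 1: hooked, points into the driver */
    0x8045ABC0u,  /* slot 2: inside the kernel */
    0xF8A01200u,  /* slot 3: hooked, points into the driver */
    0xF9C00010u,  /* slot 4: no loaded image there (driver was unloaded) */
    0x805FFFF0u,  /* slot 5: inside the kernel */
};

int main(void)
{
    struct finding f[8];
    size_t n = find_hooked(TABLE, 6, &KERNEL, DRIVERS, 1, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("slot %zu -> 0x%llx (%s)\n", f[i].slot,
               (unsigned long long)f[i].target,
               f[i].owner ? f[i].owner : "no loaded image: stale pointer");
    return 0;
}
```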
So that's what that unidentified program was
by H Voyager November 2, 2005 7:57 AM PST
I had figured it was some new virus that my scanners weren't picking up. I ended up having to do a low level format to get it off of my hard drives, and wiped my backups, because I didn't know how far the infection had gone.

I'd say I was angry except I think I'm so far beyond that point that the term no longer applies.
Sony, now hiding malware like programs
by bobby_brady November 2, 2005 8:02 AM PST
from their customers. Sony has really hit a new low!

I was just in the market for a new television, and thought of the Sony Trinitron. But I've been afraid to even purchase one, because I believe it has software installed that will prevent me from watching my MPEG files. I have Media Center 2005 installed.
that's why i don't buy anymore
by gravrdr November 2, 2005 9:54 AM PST
When the record companies stop trying to "copy protect" everything then I will buy music again. I still can't understand what all the fuss is about. Once I have bought (or anyone has, for that matter, bought) a CD then it belongs to them. We should be able to use it how we see fit and across as many devices as an individual owns. Those greedy MFs in the RIAA MPAA are hurting themselves. Until they come to their senses I have personally boycotted the purchase of any copy protected CDs. I think it's time the real Hackers out there declare cyber war on the companies that are doing this and hit them where it will hurt the most. Utter data destruction. Let them try to create new copy protection schemes when they can't even get their own systems to run.
AnyDVD
by ajbright November 2, 2005 11:29 AM PST
I have a program called AnyDVD (slysoft.com) that removes the copy protection from any CD or DVD on my PC.

One of its side effects is it prevents this "virus" from being installed on your PC, and the CD is presented to all your media software as protection-free.

The only downside is that after 20 days you have to register (buy) the software if you want to keep using it.

Personally I've found that this and CloneDVD2 are the best DVD backup programs out there - they're both easy to use and are continuously updated to protect you against the latest copy protections placed on CDs or DVDs.

Are they legal? Probably not - but then as far as I'm concerned until Hollywood and the music industry comply with the fair use provisions of the DMCA, their products aren't legal either.
I don't buy media from companies that treat me like a criminal.
by wcattey November 2, 2005 1:05 PM PST
I've done work with online data media repositories.
I am very respectful of copyright both at work and at home.

There have been times when negotiations for media broke
down because the vendor insisted on treating customers
pre-emptively like criminals.

Sony has gone WAY too far in its approach to Digital Rights
management by Installing software and then
masking its presence.

I will be buying NO SUCH media. And I will encourage my
friends and colleagues to boycott Sony and BMI until this
extreme DRM approach is abandoned.

William Cattey
Software Project Manager
Massachusetts Institute of Technology
"No comments" - baloney
by wallybass November 2, 2005 7:23 PM PST
>>"I think this is slightly old news," Gilliat-Smith
said. "For the eight months that these CDs
have been out, we haven't had any comments about
malware (malicious software) at all."<<

Let me translate this.

"Since most people lack the skills of
Russinovich, no one else so far has been able to
track any of the system failures that we have
induced back to us. You see, we spent an
extraordinary amount of time covering our tracks
by cloaking things that people would normally
be able to see in their systems.

"As to the (probably thousands of) poor schmucks
whose CD disappeared due to our code, or who blue
screened, or whatever, and who spend hours
trying to figure out what was wrong, and then
more hours rebuilding their systems - well - who
cares. They didn't trace it back to us - it
doesn't affect our bottom line."

I really love his attitude: "well, we knew that
we screwed you eight months ago - boy are you
guys dummies that you only now have figured it
out."

Hopefully, a good case will be made against these
clowns, and Sony will pay heavily through a class
action suit, and in the marketplace. With a
little luck, maybe someone will even do some jail
time.